VENDOR SECURITY MANAGEMENT SYSTEM 

FIELD OF THE INVENTION 
[0001] This invention relates to a method of providing a database of security information for a 
plurality of vendors from which a client can review and select a vendor having such security 
measures necessary to protect certain information the client desires to keep confidential. 

BACKGROUND OF THE INVENTION 
[0002] Since the proliferation of the internet, organizations have been migrating to outsourced 
services as a means of cost reduction. The migration has created a large industry. It has also 
created a large internet technology (IT) security problem. For example, the recent passage of the 
Gramm-Leach-Bliley Act (GLBA) requires financial institutions to verify that their vendors 
maintain the appropriate level of IT security. The recent HIPAA regulations place similar 
requirements on the healthcare industry. Other industry segments are also adopting similar 
requirements for various standards. 

[0003] Early in this process, security consisted primarily of password and physical access 
control. As businesses migrate toward the internet to provide connection between organizations 
and their outsourced service providers, the attention to IT security is growing rapidly in both 
scope and level of detail. Therefore, the requirement to verify the IT security of the outsourced 
service providers has also increased. 
[0004] For example, financial institutions contract out a variety of services, such as loan 
processing, credit card processing, home equity services, line of credit services, etc. to outside 
service providers. However, in carrying out these services for the financial institutions, the 
outside service providers will necessarily have access and control over non-public information, 
such as the card holders' home addresses, bank account information, credit card information, 
investment holdings, etc. This non-public information is the focus of stringent security 
measures, which are designed to prevent unauthorized persons from having or gaining access to 
this information. 

[0005] In response to the threat to this information, rules, regulations and procedures have been 
designed to ensure its protection. For example, virtually all financial institution regulations and 
major policies are developed and issued on an interagency basis under the direction of the 
Federal Financial Institutions Examination Council (FFIEC). The FFIEC is made up of the Federal 
Reserve Board, Federal Deposit Insurance Corporation, Office of the Comptroller of the 
Currency, Office of Thrift Supervision and the National Credit Union Administration. The 
FFIEC has recently updated the IT security section of the IT Examiner's Handbook, the 
guideline for all financial institutions examinations. The guidelines have a wider and more 
technical scope than the previous version released in 1996. This, combined with the GLBA 
requirements, is placing an increased burden on financial institutions and their vendors regarding 
auditing and compliance. 

[0006] Historically, outsourced service providers have been utilizing an SAS70 audit as their 
main source of proof that their handling of client information is appropriate for the level of 
security required. An SAS70 is the authoritative guidance that allows service organizations to 
disclose their control activities and processes to their customers and their customers' auditors in a 
uniform reporting format. An SAS70 examination signifies that a service organization has had 
its control objectives and control activities examined by an independent accounting and auditing 
firm. A formal report including the auditor's opinion ("Service Auditor's Report") is issued to 
the service organization at the conclusion of an SAS70 examination. The SAS70 was not 
designed as an assessment of IT security best practices. In addition, with the advent of the fast 
paced internet and the increase in security breaches with quickly changing breaching techniques, the 
SAS70 is not adequate to provide the required level of information as quickly as the security 
procedures change. 

[0007] Research shows that both clients and their outsourced service providers will incur greater 
costs as a result of this IT security focus. Considering that each client may have many 
outsourced service providers, additional requirements for manpower and financial resources to 
track, collect and verify the outsourced service provider's IT security information will increase 
overhead costs. From the outsourced service providers' perspective there are cost increases as 
well. Larger outsourced service providers may have thousands of clients. Because each client is 
requesting IT security information, the outsourced service providers will be inundated with 
requests and burdens of proof. Because of these issues, overhead cost increases will be passed 
on to the end users. 

SUMMARY OF THE INVENTION 
[0008] It is thus an object of this invention to overcome the above mentioned and other problems 
known to those having skill in the art by using a vendor security management system (VSMS) 
according to this invention. The system enables entities to satisfy the requirements of security 
verification in a structured and cost controlled environment. 

[0009] The VSMS is initially established by creating a database of vendors and their security 
information. This information relates to vendor contract agreements, SAS70 reports, Penetration 
Reports, Information Security Policies, Computer Incident Response Policies, DR Plans, 
Business Resumption Plans, Insurance Coverages, 3rd Party Vendor Management Policies & 
Programs and/or Annual Financial Reports, as well as other pertinent information. Vendors can 
provide updated information as improvements to their security posture are implemented and 
verified. Once the security information and any subsequent improvements are verified, they are 
added to a database referred to as the vendor knowledge system (VKS), which is established in 
the VSMS. 

[0010] When a client is enrolled in the VSMS, the client can then utilize the system to define, 
document and implement their entire vendor management program and view IT security 
information as well as other pertinent information regarding a vendor that is contained in the 
VKS. 

[0011] The vendors may also be given a rating depending on various factors. For example, if the 
information to which the vendor has access is high-risk non-public information, 
such as an end user's address, bank account information, investment holdings, etc., the vendor 
would be assessed as a high-risk vendor, requiring high levels of security. Each vendor could 
be assessed pursuant to the highest level of client information they possess. 

[0012] If the information to which the vendor has access is low risk information, such as name, 
phone number, etc., the vendor would be assessed as a low risk vendor. The security procedures 
and structures required would be lessened in comparison to the high-risk information. 

BRIEF DESCRIPTION OF THE DRAWING 
[0013] The invention will be described in greater detail in what follows and in reference to a 
single drawing, in which FIG. 1 illustrates the structure of the VSMS system according to a 
preferred embodiment of the invention. 

DETAILED DESCRIPTION OF THE INVENTION 
[0014] The main structure of the VSMS according to a preferred embodiment is illustrated in 
FIG. 1. The VSMS 1 is situated between a plurality of Clients 5, 6, and 7 and Vendors 2, 3 and 
4. Clients 5, 6, and 7 have an obligation to protect certain non-public information that is 
transferred to the Vendors 2, 3 and 4 and is used to perform the services outsourced to them. 
The non-public information to be protected is determined by statute, regulation, or policy by one 
or more of the Clients themselves, the relative Industry and/or the appropriate Regulatory Body 
8. When the Clients 5, 6 and 7 request security information regarding a particular Vendor, they 
either ask the Vendor directly, who will refer the request to the VSMS 1, or the Client, if a 
current subscriber, will direct the request to the VSMS 1. The VSMS 1 contains a database of 
the security information for all of the Vendors 2, 3 and 4 that have provided their security 
information to the VSMS. The clients can search the VSMS by one or more of vendor name, 
client business units, vendor products, security levels, or other parameters necessary to help 
identify potential vendors or obtain current information regarding one or more of their client 
vendors. When identifying a potential vendor, the client can then contact the vendor to engage in 
outsourcing its services with the knowledge that the non-public information will be protected 
according to the security level identified in the VKS. 

[0015] The database used in the VSMS 1, the VKS 9, is created by adding assessment and other 
pertinent information regarding a vendor to the VKS 9. Collection of this information can be 
initiated by either contacting vendors and offering the VSMS 1 services or by vendors contacting 
the VSMS 1 and requesting to be added. An assessment is then conducted to determine the level 
of security maintained by the vendor. The results of the assessment and any additional 
information provided by the vendor are then added to the database. 

[0016] The security measures and information that are examined can range from simple 
password and access procedures to complex business policies involving insurance coverages and 
financial reports. For example, the security information can contain vendor contract agreements, 
SAS70 Reports, Penetration Reports, Information Security Policies, Computer Incident Response 
Policies, DR Plans, Business Resumption Plans, Insurance Coverages, 3rd Party Vendor 
Management Policies & Programs and Annual Financial Reports. Other information may be 
included which relates to the security measures used by the vendor to protect any non-public 
information. 
[0017] The assessment is then scanned and/or transferred and stored in a database in the VKS 9 
in the VSMS 1 along with the assessments of other vendors. The VKS 9 is updated periodically 
to provide accurate information regarding vendors and their current security status. Further, if a 
vendor updates its own system or makes any changes, the vendor can provide such updates or 
changes to keep the information stored in the VKS 9 current. 

[0018] The VSMS provides vendors incentive to participate by its simplicity and low cost. 
Without the VSMS, vendors may have to perform several assessments of their security measures 
for a plurality of clients, each time a new client approaches the vendor, an expensive and 
repetitive process. With the VSMS, the vendors need only perform one assessment and provide 
updates on their security measures periodically. All clients can access the VSMS to review the 
assessment and updates for the vendor. As a further incentive to participate in the VSMS, the 
vendors are provided the assessment at a low cost or provided for free. 

[0019] The clients have access to the VSMS by subscribing to the system. Subscription gives 
the client the ability to search within the VKS by any of a variety of methods, such as by vendor, 
keyword, security measures, vendor product type, and other methods that allow for the client to 
locate a vendor having the desired security measures for the particular non-public information to 
be protected. Such a system allows for the client to review current security procedures of its 
current vendors. The system also allows the client to review the security information regarding 
vendors with whom the client is considering a relationship. The assessments are viewable in 
multiple formats to simplify examination and comparison. Examples of formats are the FFIEC, 
ISO 17799 and HIPAA guidelines; however, other formats may be used which provide the 
necessary information for the client to select a vendor. 
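The two rules the page states, rating a vendor by the highest level of client information it possesses ([0011] and [0012]) and letting a subscribing client search the VKS for a vendor whose verified security information fits the data the client needs to protect ([0019]), can be modelled in a few dozen lines. The following is an added example, not code from the patent or from any VSMS implementation: the two-tier data classification follows the page's examples, but the mapping of assessment artifacts to tiers, the fail-closed handling of unclassified data elements, and the sample vendor records are constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Two-tier classification used in the page's examples ([0011], [0012])."""
    LOW = 1    # name, phone number, ...
    HIGH = 2   # home address, bank account, credit card, investment holdings, ...


# Constructed mapping of data elements to sensitivity, following the page's examples.
DATA_CLASSIFICATION = {
    "name": Sensitivity.LOW,
    "phone_number": Sensitivity.LOW,
    "home_address": Sensitivity.HIGH,
    "bank_account": Sensitivity.HIGH,
    "credit_card": Sensitivity.HIGH,
    "investment_holdings": Sensitivity.HIGH,
}

# Assumption: the artifact names come from the page's list of security information,
# but which artifacts a given tier requires is a constructed policy for this example.
REQUIRED_ARTIFACTS = {
    Sensitivity.LOW: {"Information Security Policy"},
    Sensitivity.HIGH: {
        "Information Security Policy",
        "SAS70 Report",
        "Penetration Report",
        "Computer Incident Response Policy",
        "DR Plan",
    },
}


@dataclass
class VendorRecord:
    name: str
    products: frozenset        # services offered, searchable per [0014]/[0019]
    data_elements: frozenset   # non-public data the vendor receives from clients
    artifacts: dict            # artifact name -> True once verified and added to the VKS


def classify_data(element):
    # Fail closed (design choice, not from the page): an element missing from the
    # classification is treated as HIGH, so an unknown data type never lowers a tier.
    return DATA_CLASSIFICATION.get(element, Sensitivity.HIGH)


def required_tier(data_elements):
    """Highest sensitivity among the given data elements; empty input means LOW."""
    return max((classify_data(e) for e in data_elements), default=Sensitivity.LOW)


def vendor_risk(vendor):
    """Rate the vendor by the highest level of client information it possesses ([0011])."""
    return required_tier(vendor.data_elements)


def missing_artifacts(vendor, tier=None):
    """Verified evidence the vendor still owes for a tier (default: its own risk tier)."""
    tier = vendor_risk(vendor) if tier is None else tier
    return sorted(a for a in REQUIRED_ARTIFACTS[tier] if not vendor.artifacts.get(a, False))


def search(vks, name=None, product=None, data_to_share=None):
    """Client query against the VKS ([0019]): filter by vendor name and product, and keep
    only vendors whose verified artifacts meet the tier the data to be shared demands."""
    hits = []
    for v in vks:
        if name and name.lower() not in v.name.lower():
            continue
        if product and product not in v.products:
            continue
        if data_to_share is not None and missing_artifacts(v, required_tier(data_to_share)):
            continue
        hits.append(v.name)
    return hits


# Constructed sample VKS contents; vendor names and artifact status are illustrative only.
SAMPLE_VKS = [
    VendorRecord("Acme Loan Processing", frozenset({"loan processing"}),
                 frozenset({"name", "home_address", "bank_account"}),
                 {a: True for a in REQUIRED_ARTIFACTS[Sensitivity.HIGH]}),
    VendorRecord("Beta Recruiting", frozenset({"recruiting"}),
                 frozenset({"name", "phone_number"}),
                 {"Information Security Policy": True}),
    VendorRecord("Gamma Card Services", frozenset({"credit card processing"}),
                 frozenset({"name", "credit_card"}),
                 {"Information Security Policy": True, "SAS70 Report": True,
                  "Computer Incident Response Policy": True, "DR Plan": True,
                  "Penetration Report": False}),   # submitted but not yet verified
]

if __name__ == "__main__":
    for v in SAMPLE_VKS:
        print(f"{v.name}: tier={vendor_risk(v).name}, missing={missing_artifacts(v)}")
    print("Suitable for bank account data:", search(SAMPLE_VKS, data_to_share={"bank_account"}))
```

Two points the code makes that the text leaves implicit: a vendor is rated by the most sensitive element it holds, not the average, so a single bank account field pulls an otherwise low-risk vendor into the high tier; and a client searching for a vendor to receive high-risk data is matched against verified artifacts only, so Gamma Card Services, whose penetration report is still unverified in the VKS, does not appear until that report is verified.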

[0020] The VSMS can be used in a variety of specific industry situations. In a preferred 
embodiment, the clients are financial institutions and the vendors are any of the many outsourced 
service providers to the financial industry. For example, in the course of a service provider 
processing a loan, the financial institution must necessarily disclose non-public information, such 
as a name, address, social security number, phone number, bank account information, etc. The 
person seeking the loan, as well as the financial institution, does not want such information to be 
disclosed to anyone other than those making the decision to approve the loan and those necessary 
to manage the loan, thus, they would desire a certain level of security over the information. 
Furthermore, such information is required to be protected by the government through statutes, 
regulations, and the industry itself sets up general guidelines to protect the information. 

[0021] In another embodiment, the clients are businesses and the vendors are recruiting firms, 
personnel management firms, etc. or other outsourced service providers. The client as well as 
the employees or prospective employees would desire certain personal or confidential 
information regarding the employees, the prospective employees, or the client itself that must 
necessarily be disclosed between the clients and the vendors to be kept in confidence. In a 
further embodiment, the clients are healthcare providers and the vendors are bill collectors, 
insurance companies, hospitals, claims adjusters, etc. The relationships between these clients 
and vendors necessarily involve personal information of patients and the practices of the health 
care providers. The VSMS can be used effectively in various other situations where a client 
must pass information to a vendor that is to remain confidential. The above are disclosed merely 
as examples. 

[0022] Although the present invention has been described and illustrated in detail regarding a 
specific example of a vendor security management system, such explanation is to be clearly 
understood that the same is by way of illustration and example only, and is not to be taken by 
way of limitation. Other modifications of the above example, which may be made by those 
having ordinary skill in the art, remain within the scope of the invention. Thus, the spirit and 
scope of the present invention should be defined only by the terms of the claims. 